Re: [DNSOP] Last Call: <draft-ietf-dnsop-refuse-any-07.txt> (Providing Minimal-Sized Responses to DNS Queries that have QTYPE=ANY) to Proposed Standard

Tony Finch <dot@dotat.at> Tue, 21 August 2018 19:31 UTC

Return-Path: <dot@dotat.at>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C5F70130E79; Tue, 21 Aug 2018 12:31:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level:
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qYBnaEUuJ9m7; Tue, 21 Aug 2018 12:31:54 -0700 (PDT)
Received: from ppsw-31.csi.cam.ac.uk (ppsw-31.csi.cam.ac.uk [131.111.8.131]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 660A4130E67; Tue, 21 Aug 2018 12:31:54 -0700 (PDT)
X-Cam-AntiVirus: no malware found
X-Cam-ScannerInfo: http://help.uis.cam.ac.uk/email-scanner-virus
Received: from grey.csi.cam.ac.uk ([131.111.57.57]:47156) by ppsw-31.csi.cam.ac.uk (ppsw.cam.ac.uk [131.111.8.137]:25) with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) id 1fsCNa-000Apk-KQ (Exim 4.91) (return-path <dot@dotat.at>); Tue, 21 Aug 2018 20:31:50 +0100
Date: Tue, 21 Aug 2018 20:31:50 +0100
From: Tony Finch <dot@dotat.at>
To: Paul Wouters <paul@nohats.ca>
cc: Ólafur Guðmundsson <olafur=40cloudflare.com@dmarc.ietf.org>, draft-ietf-dnsop-refuse-any@ietf.org, Ted Hardie <ted.ietf@gmail.com>, dnsop-chairs <dnsop-chairs@ietf.org>, dnsop <dnsop@ietf.org>, IETF <ietf@ietf.org>
In-Reply-To: <alpine.LRH.2.21.1808211302580.20934@bofh.nohats.ca>
Message-ID: <alpine.DEB.2.20.1808212016270.3596@grey.csi.cam.ac.uk>
References: <153486715184.9380.13157158969854115906.idtracker@ietfa.amsl.com> <CA+9kkMCp3e8SPwLdFHjDjPWRPrNMwdO8SqtGA1Zfm=GBTBjaPA@mail.gmail.com> <CAN6NTqyD4AOSHXWB1GMmFbEwuP9h2Q0Q7JN7=EWxojnzbey8gA@mail.gmail.com> <alpine.LRH.2.21.1808211302580.20934@bofh.nohats.ca>
User-Agent: Alpine 2.20 (DEB 67 2015-01-07)
MIME-Version: 1.0
Content-Type: multipart/mixed; BOUNDARY="1870870841-397692513-1534879910=:3596"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/jUroJtiUH07880xf2K79eP_3ESI>
Subject: Re: [DNSOP] Last Call: <draft-ietf-dnsop-refuse-any-07.txt> (Providing Minimal-Sized Responses to DNS Queries that have QTYPE=ANY) to Proposed Standard
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Aug 2018 19:31:56 -0000

Paul Wouters <paul@nohats.ca> wrote:
> On Tue, 21 Aug 2018, Ólafur Guðmundsson wrote:
>
> > Ted, Would it be acceptable to just do 
> > s/TCP/Connection oriented Transport/ 
>
> For RFC 7901 we used "source-IP-verified transport"

I don't think that's a good idea, because it suggests oversised responses
over UDP with cookies. I wanted minimal-any in order to reduce both UDP
fragmentation and fallback to TCP for all UDP queries from legitimate
clients. (Spoofed queries are dealt with by RRL.)

I suggest:

4.4.  Behaviour over different DNS transports

   A DNS responder MAY behave differently when processing ANY queries
   received over different DNS transports or with different levels
   of client authentication, e.g. by providing a conventional
   ANY response over TCP whilst using one of the other mechanisms
   specified in this document in the case where a query was received
   using UDP.

   Implementers SHOULD provide configuration options to allow operators
   to specify different behaviour over different DNS transports or for
   authenticated clients.

(the TCP/UDP e.g. is just a non-normative example; more outre transports
and options are covered by the normative text)

Tony.
-- 
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
Bailey: Northwest 5 or 6, backing west 5 to 7. Moderate or rough. Showers.
Good.